DEFCON31 - Hidden Gems In Temporary Mail Services
What is TempMail
Temporary mail services, also known as disposable email services, are generally free email services that let you receive emails at a temporary address that self-destructs after a set time elapses.
While some temporary email services are public and open for everyone's shared use, others offer paid private services.
Pros
Short Lifespan: Automatically delete the email address and all associated messages after a set time.
No Long Term Commitment: Users don’t have to sign up or provide any personal information to use a temporary email address.
Anonymity: They allow users to receive emails without revealing their actual email addresses.
Cons
It should be noted that the mails are hosted on the servers of these services, so the mails you receive are accessible to that service provider, and we don't know whether they actually destroy the inboxes.
Spam Avoidance: According to these services, incoming mails are said to be safe because they pass through a spam filter of their own. This protection may be fine against newbies, but against experienced hackers it does not work well.
Public Accessibility: Many temporary mail services reveal inboxes to the public. This means that anyone can access all the emails that have been received by that inbox. While this feature provides ease of access, it also poses significant privacy risks if sensitive information is sent to the address.
Story Behind This Topic
While using a temp mail service for a silly application on an ordinary day, I noticed that someone had linked an account from a shopping site to it. After resetting the password and accessing the account, I realized there was money in it and active purchases were being made. Then I wondered whether such things were common and realized there were tons of similar situations. So I wanted to dig deeper into the situation and started my research.
Popular Temporary Mail Services That Allow Public Inboxes!
- Tempr.email (https://tempr.email/en/)
- Tempmail plus (https://tempmail.plus/en/#!)
- Yopmail (https://yopmail.com/)
- Dispostable (https://www.dispostable.com/inbox/)
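The accounts described throughout this talk exist because applications accepted a public-inbox address at sign-up. The check below is an added example (not part of the talk or of TempMailSpy) of what a registration handler can do about it: it normalizes the address, matches its domain and every parent domain against a denylist, and refuses malformed input rather than letting it through. The denylist is constructed from only the four services named above; a real deployment needs a much longer, regularly refreshed list, and this goes slightly beyond the page by handling sub-domains of a listed service.

```python
"""Registration-time check for disposable e-mail domains.

Added example, not part of the DEF CON 31 talk or the TempMailSpy tool.
The denylist is constructed from the four public-inbox services named on the
page; a production deployment would maintain a longer, regularly updated list.
"""
from __future__ import annotations

# Constructed denylist: the public-inbox services listed in the talk.
DISPOSABLE_DOMAINS = frozenset({
    "tempr.email",
    "tempmail.plus",
    "yopmail.com",
    "dispostable.com",
})


def normalize_address(address: str) -> tuple[str, str] | None:
    """Split an address into (local part, domain), lower-cased and stripped.

    Returns None when the address has no single '@' or an empty side, so the
    caller treats malformed input as a rejection rather than a pass.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    domain = domain.rstrip(".")  # "yopmail.com." is still yopmail.com
    if not local or not domain:
        return None
    return local, domain


def is_disposable(address: str, denylist: frozenset[str] = DISPOSABLE_DOMAINS) -> bool:
    """True when the address's domain, or any parent domain, is on the denylist.

    Suffix matching catches sub-domains such as "mx.yopmail.com", which a plain
    equality check on the full domain would miss.
    """
    parsed = normalize_address(address)
    if parsed is None:
        return True  # malformed: refuse, do not silently accept
    _, domain = parsed
    labels = domain.split(".")
    # Walk from the full domain up to its parents (never the bare TLD).
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in denylist:
            return True
    return False


def check_registration(address: str) -> dict:
    """Decision record a sign-up handler could log or act on."""
    disposable = is_disposable(address)
    return {
        "address": address.strip().lower(),
        "allowed": not disposable,
        "reason": "disposable-domain" if disposable else "ok",
    }


if __name__ == "__main__":
    for candidate in ("Alice@YOPmail.com", "bob@mx.tempmail.plus",
                      "carol@example.org", "broken@@yopmail.com"):
        print(check_registration(candidate))
```

The decision record, rather than a bare boolean, is what you want to feed into sign-up logging: it lets you count how many registrations your denylist is turning away and spot when a new service starts showing up that the list does not cover yet.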
What Are These Gems
In my research, I realized that people use these e-mail addresses as business e-mails and, in addition to that, for personal Spotify, Netflix, Facebook, Twitter, Instagram, YouTube, Amazon, AliExpress, Discord, AT&T, Grammarly, TikTok, OnlyFans and BTC accounts, even porn accounts, and lots of public IP information, patient records and many, many more…
While conducting my research, I noticed marketing emails from numerous Viagra sellers and dating apps. Additionally, there were emails from pornographic sites.
Also, in pornographic emails, the IP address from which a user logged in can be leaked.
So I hope that the users who use Temp Mail Services in their private life also use VPNs.
Examples
Spotify and Steam Account Example
Random Example. Dance Class Training Application.
I just saw an email inside YOPMail about Dance Class Training; when I reset the password and entered the account, I realized that almost everyone who has an account inside this application uses YOPMail.
There is the class location, cost information, and the dance class history.
There are many applications whose names I heard for the first time, and I believe this is increasing day by day.
Booking Class information,
Studio information,
Credit Card information. There is a saved credit card inside the account.
Other examples about Kanoopayy and Temu accounts.
Also, as you can see, someone uses kanopays, and inside the mail they inform the user about a cash card reserve account.
And Temu is a shopping website.
Discord account, but when I tried to enter this account, it had been set up with MFA.
But I only tried once for a Discord account, so maybe you can find an account without MFA.
Instagram Accounts
Just reset the account password via mail, set a new password and log in to the account.
Mail about AT&T prepaid Rate Plan Successfully renewed.
Also there is a Facebook account as you can see.
Amazon AWS Example
Hospital records.
CANDIDATE NAMES, ORDER NUMBERS,
I didn't want to censor this information because it's already accessible from temp mail services.
There is More…
AND MORE
Another random account from Paxful. Paxful is a BTC buying and selling application.
If you want to hunt accounts like this, be sure that you don't take over the account at the beginning of the registration. Just note the account email address and delete all related mails from YOPmail a couple of minutes later, so that no one but you knows that account other than the owner. And then just wait; it's up to you, maybe a month later or maybe a week later you can take over those accounts with money or BTC inside.
You can also find OnlyFans accounts that are already subscribed to some OnlyFans girls if you're interested.
I don't prefer to use OnlyFans :D
Another account.
Please note that the OnlyFans girls shown in these slides are not an advertisement.
Interesting Invoices.
Someone just bought something and there is an invoice.
So you can just send a mail to the owner for social engineering purposes, because there are many pieces of information leaked here that you can use.
Remember, every bit of information is useful for social engineering purposes.
Hey Abdul, these items bla bla bla that you ordered will be sent to the address bla bla bla; they are stuck in customs so you need to pay. Payment Link. Example Customs Payment Website.
Easy Money.
Example of Social Engineering Email:
Include a payment link or a fake customs website; the choice is up to the attacker and depends on the scenario.
Alternatively, you can get other information with that type of social engineering attack.
This method is effective because you have all the details about the order. It appears legitimate.
If you are lucky, you can find your perfect match from temporary mail services.
IP information everywhere.
Financial information. There is profit information there.
It's about positions, EUR against the Canadian dollar.
And as you can see there is a previous ledger balance of something like 5k, and the available margin decreased to 4k…
Netflix account, but as I said, you need to be patient if you want to get good gems.
Delete the related emails and note the mail. Then take over the account in the future.
I don't know, I found a website called bitby, and when I entered it said you have nearly 69 Bitcoin.
Wait, what!
Probably a fake website, but a good one.
I'll be very sorry if it's legit btw :D
Continuing with accounts: PlayStation Plus, TikTok accounts.
There is a Temu order information mail.
I took over one of the Temu accounts because it's not a registration mail, it's an order mail.
Live account
Live Order
Credit Card and Address information.
Here is some information about the emails I’ve collected.
Most of the emails come from TikTok, Intelliverse, and Supercell. However, as you can see, there are many other applications not listed here, as including them would require numerous slides.
In summary, you can find all kinds of accounts you want here.
In today’s world, every piece of information is invaluable.
The software used by blue teams and cyber intelligence units for gathering information has now become highly advanced.
If your password has been leaked on any darkweb site or a public hacker forum, websites notify you immediately and advise you to change your password.
Some websites even change your password to a randomly generated one without asking for confirmation, and then inform you about the situation to prevent any unauthorized usage.
And I believe that in the near future these intelligence software programs will add modules for these temporary mail services.
Because believe me, there are so many things going on in these mail services. And because of that…
TempMailSpy
I wrote a Python script that automatically crawls temporary mail services.
A fully customizable config. For instance, consider a company named ACME Limited. This company can continuously crawl these email services. The only thing they need to do is add their company name to the config.json file. My tool will then alert the company if any emails related to them appear in public inboxes.
Keywords field for the grepping option.
Tokens for notification. Tool usage.
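The monitoring use described above (a company adds its own name to a config, the tool greps public inboxes for it and raises an alert) is the defensive half of this talk. The following is an added example in that spirit, not the author's TempMailSpy code: it assumes a config layout of my own ({"company", "keywords", "notify"}; the real config.json keys are not shown on the page), runs over a constructed list of messages instead of crawling a live service, and builds the alert payload without sending it. The company name is always added to the keyword set, so the minimal config really is just the company name, as the text says.

```python
"""Keyword scanner in the spirit of the TempMailSpy config described above.

Added example, not the author's TempMailSpy code. The config layout and the
sample messages are constructed for this example.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed config in the assumed layout (keys are this example's own).
CONFIG_JSON = """
{
  "company": "ACME Limited",
  "keywords": ["acme.example", "ACME Limited", "invoice"],
  "notify": {"telegram_token": "PLACEHOLDER_TOKEN"}
}
"""

# Constructed sample of what a crawler might have pulled from public inboxes.
SAMPLE_MESSAGES = [
    {"inbox": "blabla@yopmail.com", "from": "billing@acme.example",
     "subject": "Your invoice #1042", "body": "Thanks for your order with ACME Limited."},
    {"inbox": "dance42@yopmail.com", "from": "noreply@dance.example",
     "subject": "Class booking confirmed", "body": "See you Monday at the studio."},
    {"inbox": "admin7@yopmail.com", "from": "otp@portal.example",
     "subject": "Your one-time code", "body": "Login code for acme.example portal: 481516"},
]


@dataclass
class Hit:
    inbox: str
    subject: str
    matched: list = field(default_factory=list)


def load_config(text: str) -> dict:
    """Parse the config and make sure the company name is always a keyword."""
    cfg = json.loads(text)
    keywords = set(cfg.get("keywords", []))
    keywords.add(cfg["company"])
    cfg["keywords"] = sorted(keywords)
    return cfg


def compile_patterns(keywords):
    # Whole-word, case-insensitive matching; re.escape keeps "acme.example" literal.
    return {kw: re.compile(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", re.IGNORECASE)
            for kw in keywords}


def scan(messages, cfg) -> list:
    """Return one Hit per message whose sender, subject or body matches a keyword."""
    patterns = compile_patterns(cfg["keywords"])
    hits = []
    for msg in messages:
        haystack = " ".join(msg.get(k, "") for k in ("from", "subject", "body"))
        matched = [kw for kw, pat in patterns.items() if pat.search(haystack)]
        if matched:
            hits.append(Hit(msg["inbox"], msg["subject"], matched))
    return hits


def build_alert(hit: Hit, cfg) -> dict:
    """Payload a notifier would send; the token is only checked for presence, never sent."""
    return {
        "company": cfg["company"],
        "inbox": hit.inbox,
        "subject": hit.subject,
        "keywords": hit.matched,
        "channel": "telegram" if cfg.get("notify", {}).get("telegram_token") else "stdout",
    }


if __name__ == "__main__":
    config = load_config(CONFIG_JSON)
    for h in scan(SAMPLE_MESSAGES, config):
        print(json.dumps(build_alert(h, config)))
```

The alert deliberately carries the inbox address and the matched keywords but not the message body: the point of the alert is to tell the company that one of its customers, employees or admins registered with a public inbox, so the company can force a password reset and re-verify the contact address, not to copy the leaked content into yet another system.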
Now, I will tell you about a very enjoyable and beautiful example I encountered regarding my topic.
Just another day of temp mail reconning, and TempMailSpy found an invoice.
While I inspected the invoice…
I found a little icon called phpdebugger, and after I clicked that button a debugging page opened.
As you can see, the email is blabla@yopmail.com; that's why my script found that invoice.
And as you can see there is an endpoint here ending with /login.
And I did more recon and found an /admin endpoint.
And in the /admin endpoint, with phpdebugger, I found the email and password data, and the email is still yopmail.
So can you believe that there is an admin account registered with temporary mail?
I tried to log in with the credentials that I found.
The application asked me for an OTP. Then I realised I owned the email address inbox because it's public.
This inbox is public but the first name is specific; that's why you can see there is only an OTP request from that admin page, nothing more…
I successfully logged in to the admin page
More temp mail addresses.
So this company uses 95% public temp mail addresses.
Even business accounts have TempMail addresses. Business accounts equal client accounts.
Got the server information.
Access to the Database.
Full Access to mail and company users information.
Important documents include worker names, security numbers, ID numbers, employee names, etc.
Government level documents.
More and more, but there is no time, so I didn't add all of the documents to my slides.
Inside the customer accounts there is money and also invoices, sales and customer information…
And somehow I was able to get a shell from that company.
Important Note: The relevant vulnerability has been reported to the company and has been remedied. During the research, no actions were taken that would harm the company’s servers or disrupt their operations.
More than 16 applications.
Each application has a different database and environment information: mail username, mail password, SSL cert private key, JWT secret.
NAMES EMAILS PASSWORDS
Also, I found another admin account in the database to log in to a different website.
More YOPmail accounts that use applications.
Logged in to different applications.
Cracked a lot of passwords. Logged in to more applications.
More important information.
Company Mail Accounts
With the password and username information, entered more company email accounts.
Payment information including secret API keys, everything for receiving and sending payments. And all of it is live data.
More account information.
More hash cracking
More Yopmail Accounts
At the end of the day, with this research of mine, I obtained hundreds of personal accounts, shopping accounts with money inside, patient information, IP details, premium accounts, company information, company accounts, compromised company email accounts, credit card information, dozens of web applications, numerous databases containing live data, private and confidential API keys, passwords, government documents, email correspondence, secret payment system APIs, company bank accounts, SMS sending APIs, invoices, customer accounts with money in them, and many more things like these. However, in order to keep to time, I couldn't put most of these into the presentation.
While conducting this research, my IP addresses were banned multiple times by temporary mail services. Therefore, unfortunately, I had to continue my research using a VPN. Additionally, YOPmail didn't use a captcha for email display in the past, and I had shaped my tool accordingly. However, I then had to rewrite my tool in a different way because of this change. Also, I'll add a proxy module soon to work around rate limiting issues.